Reflected XSS is the type of XSS attack where the payload included in HTTP request is included in the webpage source without validation.
Since it's a reflected XSS, the harmful code isn't saved in the remote web app. To execute the code on the target's host, some social engineering is needed (e.g. sending a faulty link via email).
Possible points of entry
- URL Query Params
- URL file path
- HTTP headers (although unlikely exploitable in practice)
Once you find the entry point and the way to reflect data in the webpage source, you need to confirm that you can successfully run a JS/PHP code through the payload (code might or might not work depending on where the payload is reflected).